Splunk Search
Highlighted

How to search the total number of users per day?

Communicator

Hello,

I have a field where the user names are recorded. I want to display a timechart with total number of users for a day.

user
------
user1
user2
user5
user6
...
...

Please help me construct the search

index="_internal" sourcetype=splunk_web_access source="/apps/splunk/var/log/splunk/web_access.log" 

Thanks,
Simon Mandy

0 Karma
Highlighted

Re: How to search the total number of users per day?

SplunkTrust
SplunkTrust

If you want total number of users:

index="_internal" sourcetype=splunk_web_access
| timechart span=1d count(user) as total_users

If you want distinct number of users:

index="_internal" sourcetype=splunk_web_access
| timechart span=1d dc(user) as distinct_users

If you want the count per user:

index="_internal" sourcetype=splunk_web_access
| timechart span=1d count as count_user by user

View solution in original post